E-Mail ID Working Group Shuts Down Without Consensus

The Internet Engineering Task Force closed its working group Wednesday after it failed to agree on an e-mail authentication standard.

The Internet standards body ended debate over the standards in the MTA Authorization Records in DNS (MARID) working group after concluding that the group was unlikely to reach a consensus on the technical specifications for the Sender ID and Sender Policy Framework protocols. Instead of a set deployment standard, both technologies will be rolled out and tested by e-mail receivers and senders.

Microsoft's licensing terms and patent claims on key Sender ID technology used by e-mail receivers divided the working group. Open-source advocates strenuously objected to Microsoft's terms. Their objections led AOL on Sept. 15 to withdraw its support for Sender ID. AOL instead will deploy SPF, while publishing both SPF and Sender ID records for its outgoing e-mail.

"Concluding a group without it having achieved its goals is never a pleasant prospect, and it is always tempting to believe that just a small amount of additional time and energy will cause consensus to emerge," Ted Hardie, the working group's co-director, said in a statement sent to MARID's e-mail discussion list. "After careful consideration, however, the working group chairs and area [adviser] have concluded that such energy would be better spent on gathering deployment experience."

Microsoft agreed in May to merge its Caller ID protocol with Meng Wong's open-source SPF technology in an effort to have an industry-wide e-mail identity mechanism. Now the industry will have multiple identity standards, and the market will decide the most effective, said Wong, CTO of Pobox.com and creator of SPF.

"This constitutes official approval to 'Go ahead and experiment with this stuff, guys. We're not going to recommend one thing or another,'" he said. "The market gets to decide."

Wong said the working group's collapse would not derail the deployment of e-mail authentication protocols, which aim to fix a flaw in the e-mail architecture that gives senders anonymity. Scammers have taken advantage of this flaw to launch phishing attacks, in which an e-mail requests financial information in the guise of a message from a trusted source, like a bank.

Microsoft plans to begin checking incoming e-mail to MSN and Hotmail for Sender ID records in October; AOL will begin checking SPF records sometime this fall. Yahoo has its own authentication technology, DomainKeys, which it plans to deploy by the end of the year.

The Direct Marketing Association said it urges members to comply with both Sender ID and SPF.